Fraud is now one of the UK’s most common crimes. Authorised push payment (APP) has become a major pain point for banks, and it can have a devastating effect on consumers and corporates alike.
The banking and finance industry has invested heavily in protecting its customers from payment fraud in recent years. It has partnered with government and law enforcement to establish strategic priorities requiring regulatory transformation, such as the Economic Crime and Corporate Transparency Bill, the Financial Services and Markets Bill and the Contingent Reimbursement Model Code for APP Scams. It has improved intelligence, data sharing and collaboration among key players through initiatives set up by The Banking Protocol, the National Economic Crime Centre, the UK Finance Intelligence and Information Unit and the Dedicated Card and Payment Crime Unit (DCPCU). And most recently, the Financial Conduct Authority (FCA) and the Payment Systems Regulator (PSR) jointly ran a TechSprint, which gave regulators the opportunity to collaborate with industry and fintech participants to better understand the technology available, ways in which data can be shared, and possible gaps and barriers in APP fraud.
Watch Andrew Barnett, Head of Fraud for Financial Services at Deloitte, and other industry experts discuss the latest in APP technology.
Positive data from the UK Finance 2022 Report
The half-year update revealed good news: as a result of current measures, the amount returned to victims of APP scams rose by 11% to £140.1 million in the first half of 2022, or 56% of the total loss. However, “criminals have continued to focus activity mainly on socially engineering their victims, usually with the intention of tricking them into authorising a payment to an account within their control (known as APP Fraud).” Compared with the same periods for 2021 and 2020, the data shows a 17% drop from 2021, but it’s still 30% higher than 2020. This highlights the ongoing focus from the banking and finance industry to reduce APP fraud.
Delving deeper, the report identifies scams that continue to drive fraud losses, despite the overall decrease in fraud levels:
- Losses due to romance scams increased by 31% in the first half of 2022
- There has also been an increase in the number of purchase scams, although the total value of losses fell. Purchase scams account for 56% of all APP scams reported in the first half of 2022
- Investment scams also remain an area of considerable concern and currently account for the largest proportion of losses of any type of APP scam, despite a 32% fall in losses, as customers strive to ensure their savings keep pace with inflation
New guidance for fighting the fraudsters
The PSR appreciates the effort invested by the industry in detection and prevention technology and in improving consumer awareness, but is conscious that reimbursement numbers remain just above 55%. It proposes that more needs to be done to fight payment fraud. The new guidance comes three years after the CRM Code (Contingent Reimbursement Model) was introduced in May 2019. Following the CRM Code is voluntary, and the ‘in-force’ date essentially meant that payment service providers (PSPs) which signed up would deal with APP scams in accordance with the Code from that date. Given that not all industry PSPs were signatories, the level of protection remained low for consumers, leaving them exposed to significant risk. Combining the proposed and existing approaches with the recent Financial Services and Markets Bill moves the market towards even heavier regulation, as it gives regulators like the FCA the ability to enforce given “voluntary” guidance.
Challenges for the industry
If the PSR goes ahead with its recommended approach, the UK will undoubtedly have one of the most consumer-centric reimbursement models in the world. Considering the implications for the industry, key areas that drew our attention were:
Significant changes in the liability model
Currently, reimbursement costs are fully covered by the sending bank. The new guidance proposes:
- a 50:50 split of the customer refund between both the sending and the receiving bank
- a minimum threshold for reimbursement claims (no more than £100)
- banks withhold an ‘excess’ (no more than £35)
However, even with the proposed allocation, fraud costs for institutions are expected to increase by an estimated £248m annually, based on the latest UK Finance figures. The excess allowance and thresholds will allow institutions some flexibility. But some key questions remain:
- How will receivers feel about the revised liability model, where KYC is up to date and there is no prior evidence of wrongdoing?
- Is this sustainable, especially for smaller organisations?
- Is relying on the inherent cap of the Faster Payments scheme (max FP transaction £1m) sufficient? In contrast, the Consumer Credit Act caps liability at £30,000.
- Is there room for more realistic data-backed caps that would benefit both customers and banks?
The need for clearer guidance
Gross negligence remains a broad term with room for interpretation on a case-by-case basis. The industry challenged the PSR on the need for more clarity in a round table/Q&A session held in October, and its response is eagerly anticipated. Defining clearer guidance for the criteria of reimbursement has been a challenge on both ends – banks and regulator – since the publication of the CRM. Another aspect to be considered in this area is the exceptions risk versus the customer experience. Will banks continue to have the same appetite for risk? Or will we start seeing them closing relationships and limiting product offerings, leading to a shrinking industry and a worse customer experience?
Implementing the guidance
One immediate effect we foresee emerging from the implementation of the proposed guidance is the increased monitoring of inbound payments and the need for faster adoption of real-time transaction monitoring. This would address the increased complexity and unique nature of today’s scams. This change would potentially mean transitioning to an AI/ML-driven approach for payments and screening to account for complex patterns in both inbound and outbound payments, combined with advanced customer behavioural analytics. Additional investment in people and technology will be required to make the necessary operational changes. What are the potential “hidden” operational costs of the PSR’s proposal?
There’s a clear incentive to engage the industry on this growing problem and the PSR welcomes all feedback until 5pm on 25 November 2022. As 2023 nears, it will be interesting to see how firms and consumers adapt their approaches to tackling APP fraud and the extent to which the PSR enforces its guidance and expectations.
If you would like to discuss any of the issues raised in this blog, please contact Andrew Barnett, Head of Fraud for Financial Services at Deloitte.
CP22/4: Authorised push payment (APP) scams: Requiring reimbursement | Payment Systems Regulator (psr.org.uk)
Half Year Fraud Report 2022 | Policy and Guidance | UK Finance
Authorised Push Payment Fraud TechSprint | FCA